Feed
CriticalPublished 12 Jun 2026Updated 21 Jun 20267 packages · 23 versions

Solana FakeFix: JFrog flags 25 npm + PyPI packages stealing Solana keypairs and dev secrets to Telegram

Summary

JFrog Security Research disclosed Solana FakeFix, a 25-package npm/PyPI campaign with two clusters: ~20 Solana typosquats / "stable-build" forks (solana-web3-stable, solana-rpc-client, …) promoted via GitHub issue spam by the PassWord1337 account, and a 5-package CMS-themed Windows loader cluster (cms-storehub, cms-helpgit, cms-github, to-cms, shopifyto-cms). All variants exfiltrate Solana keypairs, SSH keys, cloud creds, and .env secrets to a Telegram bot.

typosquatmaintainer-takeovercredential-theftcrypto-wallet-draininfostealerobfuscation
Detected by
JFrog
Also known as
Solana FakeFix · FakeFix campaign · PassWord1337 Solana spam
Ecosystems
npm
Packages tracked
7

What happened

On 2026-06-12 JFrog Security Research published Solana FakeFix, a 25-package supply-chain operation spanning npm and PyPI that fused two distinct attack patterns under one operator. The campaign was identified through correlated indicators (shared Telegram bot tokens, near-identical postinstall and __init__.py stagers, and a single GitHub social-engineering handle) across releases that initially looked like separate, unrelated typosquat blips.

Cluster 1 — Solana FakeFix (20 packages)

The larger cluster — 16 npm packages and 4 PyPI packages — impersonated legitimate Solana tooling. Names like solana-web3-stable@1.0.0, solana-rpc-client@1.0.0, and the unpublished @solana-labs/web3.js / @solana-labs/spl-toke variants positioned themselves as "stable" forks of @solana/web3.js and @solana/spl-token. The threat actor under the GitHub handle PassWord1337 filed issues on real open-source projects falsely claiming the malicious package was a drop-in fix for common build errors — encouraging victims to run npm uninstall @solana/web3.js && npm install solana-web3-stable themselves.

Early variants relied on a simple postinstall hook firing during npm install; later releases shipped a fully functional Solana bundle with the stealer code injected after the legitimate exports — detection rates drop sharply when the package "just works". On PyPI the malicious code lived in __init__.py, executing on any import. Payload behaviour was consistent across both ecosystems: enumerate Solana keypair files, SSH private keys, AWS credential files, .env files, and any env-var matching KEY|SECRET|MNEMONIC|TOKEN|AWS|GITHUB|CI; POST everything in real time to an attacker-controlled Telegram bot via hard-coded tokens and chat IDs.

solana-web3-stable@1.0.0 was published 2026-06-07 22:57 UTC and unpublished by npm 2026-06-08 16:39 UTC; solana-rpc-client@1.0.0 followed at 2026-06-07 23:01 UTC and was unpublished 2026-06-08 16:39 UTC. The exact full wheel-set list for the remaining ~16 Solana-cluster artefacts is being enumerated through PyPI / npm security; this entry tracks the names whose status we have independently confirmed against the registry.

Cluster 2 — CMS Windows loader (5 packages)

The smaller cluster used CMS / e-commerce-integration package names — cms-storehub, cms-helpgit, cms-github, to-cms, and shopifyto-cms — to deliver a Windows-targeted loader. The npm install-time script is a PowerShell stub that installs the Deno runtime under %LOCALAPPDATA% and uses it to fetch and execute remote JavaScript from attacker infrastructure. Deno bypasses standard node_modules script auditing and lives outside the Node ecosystem most defenders watch.

Version / publish timing in the CMS cluster (all replaced by npm 0.0.1-security holders on 2026-06-01 09:08 UTC):

  • cms-storehub — versions 1.2.7 through 1.3.6, published 2026-05-30
  • cms-helpgit — versions 4.2.2, 4.2.44.2.9, published 2026-05-29
  • cms-github — version 4.2.4, published 2026-05-29
  • to-cms — versions 1.0.0, 1.0.1, published 2026-05-15
  • shopifyto-cms — version 3.0.2, published 2026-05-17

to-cms and shopifyto-cms are simpler download-and-execute droppers — they shell out to fetch and run a payload immediately, no Deno runtime staging. The CMS cluster combined averaged ~80,000 weekly downloads before takedown.

Common thread

JFrog tied the two clusters together via three shared indicators: identical Telegram bot endpoints across both stagers, the same data-collection sweep (Solana keypairs + SSH + AWS + .env + KEY|SECRET|MNEMONIC env scans), and overlapping infrastructure for the remote JS payloads. The social-engineering layer (PassWord1337 GitHub issue spam) is unique to the Solana cluster; the CMS cluster relied purely on opportunistic install through plausible-looking integration package names.

This campaign is distinct from the March 2026 galedonovan Solana / Ethereum typosquats (which intercepted private keys passed through legitimate API calls and also exfiltrated to Telegram) and from the parallel Mini Shai-Hulud / Hades worm waves — FakeFix is wallet-/credential-theft-only, with no self-propagation and no worm component.

Affected packages (7)

  • npmcms-github
    4.2.4
  • npmcms-helpgit
    4.2.24.2.44.2.54.2.64.2.74.2.84.2.9
  • npmcms-storehub
    1.2.71.2.81.2.91.3.01.3.11.3.21.3.31.3.41.3.51.3.6
  • npmshopifyto-cms
    3.0.2
  • npmsolana-rpc-client
    1.0.0
  • npmsolana-web3-stable
    1.0.0
  • npmto-cms
    1.0.01.0.1

Impact

  • postinstall npm lifecycle hook fires the JS payload the moment npm install runs — no import or runtime invocation required, and the Solana-cluster later versions ship a fully functional Solana bundle so consumers see no behavioural breakage
  • PyPI variants stash the payload inside __init__.py, so the stealer runs the moment any script, notebook, or test imports the package
  • Payload sweeps the filesystem for Solana keypair files (id.json, Phantom / Solflare wallet exports), SSH private keys, AWS credential files, .env files, and any process-env vars whose names contain KEY, SECRET, MNEMONIC, TOKEN, AWS, GITHUB, or CI
  • Exfiltration is real-time over Telegram: hard-coded bot tokens + chat IDs POST stolen artefacts directly; later builds add a polling backdoor for interactive commands and a self-update channel
  • CMS-cluster packages (cms-storehub, cms-helpgit, cms-github) use a Windows-specific PowerShell preinstall that installs the Deno runtime, then pulls remote JavaScript from attacker infrastructure — workstations only, but persistence survives reboot
  • to-cms and shopifyto-cms were straight download-and-execute droppers staged through legitimate-looking Shopify/CMS-integration package names
  • Social-engineering vector: PassWord1337 filed GitHub issues on real OSS projects ("error fixed by running npm install solana-web3-stable") — developers chasing a build break were the primary recruitment funnel
  • Estimated combined exposure: ~80,000 weekly downloads across the CMS cluster before npm replaced them with security-holders on 2026-06-01

What to do

  1. 1Grep lockfiles, node_modules, and pip caches for the affected names — solana-web3-stable, solana-rpc-client, cms-storehub, cms-helpgit, cms-github, to-cms, shopifyto-cms — and uninstall any that resolve
  2. 2On any developer workstation or CI runner that installed a Solana-cluster package: assume Solana keypairs, SSH keys, AWS/GCP/Azure credentials, GitHub PATs, npm publish tokens, and .env-resident secrets are compromised; rotate from a known-clean host and sweep wallets for drains
  3. 3On any Windows workstation that installed the CMS-cluster (cms-storehub, cms-helpgit, cms-github): hunt for an unexpected Deno install under %LOCALAPPDATA%\Programs\deno, audit scheduled tasks / Run-keys for persistence, and consider re-imaging — the loader stages an arbitrary remote payload
  4. 4Block outbound to api.telegram.org from CI runners and developer workstations that have no legitimate Telegram integration (the campaign's exclusive C2 channel)
  5. 5Reject any GitHub issue or comment that suggests replacing a legitimate package with a -stable / -fix / -rpc-client variant; the PassWord1337 social-engineering pattern is the campaign's recruitment funnel
  6. 6Audit Solana wallets used on suspected hosts for unauthorised transfers in the 2026-06-07 → 2026-06-08 window

References

multi-2026-06-12-solana-fakefix-jfrog